Skip to main content

Enterprise risk management (ERM) is a comprehensive, systematic approach to identifying, assessing, managing, and monitoring an organisation’s risks. Unlike traditional risk management, which often focuses on specific risks in isolation, ERM provides a holistic view. It integrates risk management into overall strategic planning and decision-making processes.

Jim Micklethwaite
Jim Micklethwaite

Managing Director | Head of Financial Markets

jmicklethwaite@thomasmurray.com

The goal of ERM is to enhance an organisation's ability to achieve its objectives and capitalise on opportunities by:

  • managing uncertainties; and
  • minimising potential threats.

The adoption of ERM has been a journey for financial market infrastructures (FMIs). Twenty years ago only the biggest FMIs had a risk function; now only the smallest do not, although most will be incorporating some form of ERM.

The inclusion of third parties is mandatory under CPMI-IOSCO but it is not always fully implemented. Such third parties may include:

  • other FMIs;
  • settlement banks;
  • liquidity providers;
  • service providers; and
  • participants.

There should be a bilateral interdependence assessment, i.e., of risks posed by an entity to an FMI, and exposures from an FMI to an entity. This latter part, in particular, is often missed.

Controlling risk from participants

Central securities depositories (CSDs) rarely control minimum capital requirements for members, and often do not include operational and other criteria. None are currently looking at cyber resilience, but the EU’s Digital Operational Resilience Act (DORA) and other regulatory frameworks are pushing this. As of June 2024, the Bank of Canada is mandating these measures, and the Canadian Derivatives Clearing Corporation is working on implementing minimum standards for clearing members.

Only 18% of CSDs globally influence the minimum capital requirements for their participants – and, mostly, this is imposed by regulators and central banks based purely on activity, not risk. We see this mainly in central counterparty (CCP) models, where capital varies by risk.

“Uncommonly considered” risk categories

ERM frameworks in FMIs sometimes miss the macro-level risks, but they must account for these as FMIs are systemically important. Examples of these “uncommonly considered” risks include:

Political – Domestic instability, ideological shifts, international conflicts

Sovereign – capital flight, market closure

Project – system replacements, major process changes

Cyber – data loss, operational disruption

Key components of ERM

ERM involves identifying all potential risks that could affect the organisation. It covers everything from operational risks and financial risks, to strategic and reputational risks:

  • Risk assessment involves evaluating the likelihood and impact of identified risks, often through qualitative and quantitative analyses.
  • Risk response means developing strategies to manage each risk, which can include avoidance, mitigation, transfer, or acceptance.
  • Risk monitoring and reporting ensures transparency and accountability. Continuous monitoring of risk factors and the effectiveness of risk management strategies is crucial.

How ERM differs from other forms of risk management

Traditional risk management tends to address specific risks independently, such as credit risk or operational risk. ERM, on the other hand, is a holistic approach. It considers the interconnections and cumulative impact of various risks on the entire organisation.

Strategic integration is a key feature of ERM. ERM is woven into an organisation's strategic planning process, where it aligns risk management with the overall goals and objectives. Traditional risk management often operates in silos, separate from strategic planning.

ERM emphasises proactive risk management, with a focus on anticipating and preparing for potential risks. Traditional approaches are often more reactive, dealing with risks as they arise.

ERM also involves a broad range of stakeholders, including top management, the board of directors, and heads of department. This collaborative approach contrasts with traditional risk management, which may be confined to specific departments.

The importance of ERM in financial market infrastructures

FMIs are the critical components of the global financial system, encompassing entities such as clearinghouses, payment systems, and securities depositories. For FMIs, ERM is particularly vital due to the complex and interconnected nature of financial markets:

  1. Enhancing stability: ERM helps FMIs manage systemic risks that could threaten the stability of the financial system. By adopting a holistic risk management approach, FMIs can better anticipate and mitigate risks that could lead to market disruptions.
  2. Regulatory compliance: FMIs operate under stringent regulatory frameworks designed to ensure the integrity and stability of financial markets. ERM provides a structured approach to compliance, helping FMIs meet regulatory requirements and avoid penalties.
  3. Operational resilience: ERM ensures that FMIs maintain operational resilience in the face of disruptions, such as cyberattacks, technical failures, or natural disasters. This resilience is critical for maintaining trust and confidence in the financial system.
  4. Strategic decision-making: For FMIs, strategic decision-making must consider a wide range of risks, from market volatility to technological advancements. ERM provides the tools and insights needed to make informed, strategic decisions that align with the organisation’s risk appetite and objectives.

Navigating uncertainties

ERM is an essential framework for managing risks in a comprehensive and integrated manner. In the context of FMIs, ERM's holistic approach to risk management is critical for enhancing stability, ensuring regulatory compliance, maintaining operational resilience, and supporting strategic decision-making. By embracing ERM, FMIs can better navigate the complexities and uncertainties of the financial markets, ultimately contributing to a more stable and resilient financial system.

For organisations and professionals involved in financial market infrastructures, understanding and implementing ERM can lead to more robust risk management practices and improved operational efficiency.

Since 2001, Thomas Murray has offered CSD risk assessments specifically designed to support network management and risk functions. Our assessments are tracked against best market practices, supported by participants, and open to CSDs for review.

Our assessments are ‘living’ reports, rather than questionnaire-based, which means they are continuously updated. We assess eight distinct risks, based around core functions:

  1. Settlement
  2. Safekeeping
  3. Asset servicing
  4. Operational
  5. Financial
  6. Oversight/Transparency
  7. Cybersecurity
  8. ESG

To find out more about CSD risk assessments, the role of ERM in safeguarding FMIs, or any of our other bank network management services, please contact me and the team.

Orbit Risk short

Orbit Risk

Achieve trust, transparency and security with a single platform. A leading solution for companies looking to digitise and automate their risk management, leveraging Intelligence, Diligence and Security.

learn more